This is the last of the series.
What do I mean by security?
Security can mean many things. I don’t want to focus only on whether the web site is encrypted and behind a login using common standards that are known to be effective. We all pretty much take that for granted, and both vertical and horizontal vendors will support it. They will be able to match those needs to the industry. Banking, for example, will probably require two-factor authentication. No offense to services and distribution, but they probably wouldn’t require two-factor authentication.
By security, I also mean the following:
- What roles do you allow, and how much flexibility exists in your security model? Can I add a group? Can I hook it up to my existing LDAP? Many would call something like this identity management and delegated administration.
- Can the portal do Single Sign On (SSO)? The portal itself may not need to offer SSO, but it had better integrate easily with a variety of SSO products.
It doesn’t sound like much, but believe me, it is. Every single vendor on the market is constantly asked about this, and even when a portal vendor provides a variety of tools or capabilities, it still takes time, forethought, and effort to get this type of security right.
Vertical Portal Vendors
Vertical portal vendors can create secure sites. Obviously you need to do your due diligence, but the approaches to secure login, site encryption, etc. are well known. Three-tier architectures that secure the data in the appropriate location are also well known. Decent programmers with even a little knowledge can and do get that right.
Most vertical portals should have a set of roles that allow you to define what a person can do on the site. I’ve seen some that tell you the role and provide very little flexibility beyond that. That’s one reason why I would rank a vertical vendor light green.
Finally, vertical portal vendors probably won’t be able to say, “We’ve got SSO covered. We integrate with TAM, OAM, OpenAM, Ping, and others.” That’s not the end of the world. These SSO vendors know how to drop a cookie on a site or embed something in the HTTP header. It may take a little work, but in 99% of the vertical products, it can be done.
One area related to SSO where I would rank vertical portals lower is how to store someone’s credentials so you can pass them to a back-end system. This is an integration use case. It’s also fairly common in the horizontal portal world. It may not be relevant to a vertical portal if the vendor has already figured out every single integration point, but if not, then it’s a gap. That said, you could create your own credential vault. It’s more development effort, of course, but it’s not all that complicated.
Horizontal Portal Vendors
Horizontal portal vendors get fun security questions from government agencies, banks, insurance companies, and a host of other industries. They’ve had to take the hard questions and answer them. That means that they are ready to answer everything having to do with encryption, hardened architecture, ability to meet specific security standards, etc. They deserve a dark green rating.
Also, all the horizontal portal vendors integrate with an LDAP and provide the ability to create roles, match groups to roles, match users to roles, etc. They all have, to varying degrees, the concept of delegated administration. They get a dark green rating here as well.
Every portal vendor has had to integrate with CA SiteMinder, IBM TAM, Oracle Access Manager, and even OpenAM. If they don’t support it out of the box, they at least have the hooks in place to ensure it can be done. Many of the SSO vendors have already made special efforts to integrate with IBM, Oracle, and Microsoft Portal products. They get a dark green again.
Finally, three out of four portal vendors have an existing concept of a credential vault. You need to verify, but they should be up to the task of simplifying the security behind back-end integration.
Combined Portal Vendors
Combined Portal vendors, like many other areas, have a good life. They can reuse what the horizontal vendor has already done. Security is important enough that few vertical vendors will dare interfere with the way security and roles work. They will choose to reuse what’s already there and to reuse it correctly. After all, it’s too easy to lose a sale if there’s even a whiff that your product doesn’t cut the mustard from a security standpoint. That’s why I rank them dark green here.